Cisco Router Firewall Security (Paperback)

~ Richard Deal (Author)

Editorial Reviews

Product Description

Harden perimeter routers with Cisco firewall functionality and features to ensure network security

• Detect and prevent denial of service (DoS) attacks with TCP Intercept, Context-Based Access Control (CBAC), and rate-limiting techniques
• Use Network-Based Application Recognition (NBAR) to detect and filter unwanted and malicious traffic
• Use router authentication to prevent spoofing and routing attacks
• Activate basic Cisco IOS filtering features like standard, extended, timed, lock-and-key, and reflexive ACLs to block various types of security threats and attacks, such as spoofing, DoS, Trojan horses, and worms
• Use black hole routing, policy routing, and Reverse Path Forwarding (RPF) to protect against spoofing attacks
• Apply stateful filtering of traffic with CBAC, including dynamic port mapping
• Use Authentication Proxy (AP) for user authentication
• Perform address translation with NAT, PAT, load distribution, and other methods
• Implement stateful NAT (SNAT) for redundancy
• Use Intrusion Detection System (IDS) to protect against basic types of attacks
• Obtain how-to instructions on basic logging and learn to easily interpret results
• Apply IPSec to provide secure connectivity for site-to-site and remote access connections
• Read about many, many more features of the IOS firewall for mastery of router security

The Cisco IOS firewall offers you the feature-rich functionality that you've come to expect from best-of-breed firewalls: address translation, authentication, encryption, stateful filtering, failover, URL content filtering, ACLs, NBAR, and many others. Cisco Router Firewall Security teaches you how to use the Cisco IOS firewall to enhance the security of your perimeter routers and, along the way, take advantage of the flexibility and scalability that is part of the Cisco IOS Software package.

Each chapter in Cisco Router Firewall Security addresses an important component of perimeter router security. Author Richard Deal explains the advantages and disadvantages of all key security features to help you understand when they should be used and includes examples from his personal consulting experience to illustrate critical issues and security pitfalls. A detailed case study is included at the end of the book, which illustrates best practices and specific information on how to implement Cisco router security features.

Whether you are looking to learn about firewall security or seeking how-to techniques to enhance security in your Cisco routers, Cisco Router Firewall Security is your complete reference for securing the perimeter of your network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

About the Author

Richard A. Deal has 18 years experience in the computing and networking industry including networking, training, systems administration, and programming. In addition to a B.S. in mathematics and computer science from Grove City College, Richard holds many certifications from Cisco, including the CCNP and CCSP(tm) certifications. For the past seven years, Richard has operated his own company, The Deal Group, Inc., in Orlando, Florida.

Product Details

• Paperback: 912 pages
• Publisher: Cisco Press (August 20, 2004)
• Language: English
• ISBN-10: 1587051753
• ISBN-13: 978-1587051753
• Product Dimensions: 9.1 x 7.4 x 2.1 inches
• Shipping Weight: 3.2 pounds (View shipping rates and policies)
• Average Customer Review: 4.7 out of 5 stars  See all reviews (7 customer reviews)
• Amazon.com Sales Rank: #726,637 in Books (See Bestsellers in Books)

  Popular in this category: (What's this?)

  #29 in

  Books > Computers & Internet > Security & Encryption > Firewalls

Customer Reviews

Most Helpful Customer Reviews

7 of 8 people found the following review helpful:

4.0 out of 5 stars Just what a technical Cisco book should cover, May 19, 2005

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples. The author offers several ways to solve a security problem and then recommends his preferred choice. He correctly leans towards applying cryptography when available and avoids clear-text authentication methods or control channels. If you avoid the first chapter and keep a few minor caveats in mind, I would consider CRFS to be a five-star book.

CRFS covers all of the major technologies I hoped to see in a book on Cisco security functions. Though published in August 2004, it manages to provide details on the newest Cisco IOS features that contemporary books often ignore. For example, the author emphasizes the benefits of configuring SSH access, and not only SSHv1; he explains that SSHv2 is preferred. I found the book's coverage of access control lists to be very clear, and I appreciated the author's discussions of strengths and weaknesses of different ACL types. Mr. Deal is also very conscious of the load placed on the router whenever higher-end security features or traffic inspection is invoked. His warnings provide operational insights to using IOS security features. Beginning with chapter 3, each section presented just the information I needed to implement various security features.

I gave CRFS four stars, and not five, because I found some of the author's perceptions of security to be confusing or sometimes wrong. He repeats at least five times the oft-quoted but never substantiated myth that "70 percent of network attacks" are internal. This is completely backwards, according to CSI/FBI and Secret Service studies that say around 70 percent of attacks are caused by outsiders. While some of the most devastating incidents are indeed perpetrated by insiders, the majority of attacks continue to be launched from outside the security perimeter. While this point may not seem that significant, it is not a solid footing on which the author can justify certain security recommendations.

While reading CRFS I also sensed that neither the author nor his technical editors were security professionals. I do not mean that they do not or have not handled security incidents. In fact, several of Mr. Deal's stories explicitly and properly address intrusions and other events. Rather, I sensed the author and his team were networking professionals first, with security duties tacked on. For example, p. 8 lists applications, the OS, and network infrastructure as "threats to your company's network." These have vulnerabilities -- they are not threats. On p. 28 Mr. Deal says "SSL can protect only web application traffic," but this is wrong. Pages 31-33 lists "some of the most common" DoS attacks, but the explanations there of chargen and ping of death attacks are wrong. WinNuke, a Windows DoS exploit from 1997, is also listed! Page 94 says "IDS solutions are still in their infancy," although they have been deployed for over 10 years. These and related security misperceptions made me believe a person with a primary security role should have reviewed CRFS.

It is easy to overlook these security faux pas, however. CRFS does a better job describing some security issues than other security-focused books. For example, I found the coverage of the effects of DoS attacks upon a router to be better than books specifically written about DoS! Mr. Deal frequently advocates monitoring as a way to know what is happening on the network, and I found his IDS deployment guidance to be sound.

To the extend I could evaluate Mr. Deal's discussion of Cisco features, I believe they are correct. One notable exception involves using the established keyword with ACLs. On p. 269 and elsewhere, the author claims "the established keyword looks to see if the ACK, FIN, PSH, RST, SYN, or URG TCP control flags are set. If they are, the TCP traffic is allowed in." This is incorrect; established looks for only the ACK or RST flags. This is not a major concern as other filtering options provide better defense anyway.

Overall, I consider CRFS to be an excellent piece of work. I am adding it to my recommended reading lists and I strongly suggest than anyone using Cisco routers in their perimeter read and heed this book. Keep an eye out for Mr. Deal's next book on building VPNs with Cisco gear.

3 of 3 people found the following review helpful:

5.0 out of 5 stars Arm yourself--secure and defend your network!, April 2, 2005

By	Fuller Stallworth, IT Infrastructure Analyst (Washington, DC Metropolitan Area) - See all my reviews

Cisco Router Firewall Security by Richard A. Deal is one firewall security book no networking professional should be without. The book begins with an overview on network security and firewalls, and continues with a showcase of Deal's extensive knowledge and experience configuring the Cisco IOS Firewall. Now, rather than re-inventing the wheel or relying on trial and error practices in configuring your Cisco IOS firewalls, you too can incorporate Deal's extensive Cisco Router Firewall Security expertise into your network security plan, or environment. In each chapter of the book, Deal walks you through best practice Cisco Router Firewall Security configuration as he explains and demonstrates, step-by-step, how to program the Cisco IOS Firewall feature set-from router security management to virtual private networking.

Networking professionals having an intermediate to advanced knowledge of Cisco routers, or at least a Cisco CCNA certification will benefit immensely from reading and applying the Cisco IOS firewall security features discussed in the book. All concepts and examples, such as configuration command files, are clearly explained against the backdrop of example network illustrations and thus easy to follow. Deal reinforces each and every illustration with appropriate, well-executed discussions for you to follow as he pin-points the reasons for implementing, or applying, Cisco IOS firewall security and how best to configure it for maximum advantage.

For networking professionals interested in pursuing a Cisco security certification, Cisco Router Firewall Security provides a wealth of tips, recommendations, considerations and cautions. While there is no CD-ROM included with the book, an abundance of configuration command file listings provide network administrators and engineers the opportunity of a virtual experience in the nuts-and-bolts of configuring Cisco IOS firewalls in a secure manner. Networking professionals will develop an unparalleled depth of understanding in best practice network security-such as properly securing the various modes and methods of accessing Cisco routers as well as the Cisco IOS firewall.

On a scale of 1 - 5, 5 being the highest, and in terms of usefulness and practical application, Cisco Router Firewall Security easily rates a 5. Network engineers and administrators will benefit immensely from this handbook of network security: from the illustrations showing where and why network security should be applied, the index which is strictly focused on cross-referencing network security topics, and the solid network security advice that reaches beyond Cisco-centric networking environments. Future books by Deal, as well as his previous book, PIX Firewalls, will undoubtedly prove to be excellent reading for the networking community at large seeking to increase the security of their networks and to ward off ever-increasing network attacks and intrusions.

If shooting from the hip in dealing with network security issues is your stick, Cisco Router Firewall Security is the book for you. Cisco Router Firewall Security provides a smorgasbord of tried and tested network security process, procedure and application-providing a comprehensive set of tools and case study material that can be either adapted in whole or in part when making your case, or justifying, how you intend to protect or defend your network against attacks.

Without question, you absolutely must add Deal's Cisco Router Firewall Security-a stellar treatise on both applied network security and applied firewall security-to your networking bookshelf. Arm yourself with the necessary knowledge, skills and practical application to secure and defend your network-and in essence your job-or else, you're fired!

3 of 3 people found the following review helpful:

4.0 out of 5 stars Securing the Edge, March 18, 2005

By	Joel E. Natt (Atlanta, GA USA) - See all my reviews (REAL NAME)

The Cisco Press Book "Cisco Router Firewall Security" by Richard Deal while claiming to be for individuals or organizations "using a Cisco router as a perimeter firewall solution" is much more and I believe from that quote it was designed to be a reference guide for using routers to do just that: be a perimeter firewall for an organization. But what Richard Deal delivered is not only an excellent book on implementing a router as the firewall, but a detailed guide and approach to making any organizations routers secure and safe as they should be to develop a safe environment. To emphasis my comments on this thought you simply need to look at the break down of the chapters, like Chapter 4 "Disabling Unnecessary Services", and while this is important for any perimeter device, doing it in general on a router regardless of location helps to strength the environment and deliver a more secure network.

Within the book Richard emphasizes that an individual can either read it cover to cover, or skip around and I agree that at sometimes reading cover to cover especially if you do not know a subject is an excellent approach, but with this one even not knowing and using it for the references offers is just as much benefit. Cause within the individual sections of the book there's enough information that you will not get lost as long as you have understanding of other Cisco devices like TACACS+ or general network concepts like RADIUS. Richard presents clear examples and details the steps to implement many of the book suggestions without much issue. I was able to take one of my lab routers and execute numerous of his examples without difficulty and still have the unit function as expected.

While Cisco continues to publish new IOS code for their devices Richard spends a few minutes at different points like in Chapter 6 "Basic ACL Configuration" to highlight which version of IOS is needed to accomplish the issue being explained. Considering this feature does help to enhance the value of the book even further, but amongst my favorite chapters and section was Part VI "Managing Access through Routers" for he the book combined numerous prior items from Access Control List (ACL) configuration to routing protocols and authentication proxy using features like AAA with both TACACS+ and RADIUS. These configuration examples combined with Part VIII on "Virtual Private Networks (VPN)" only go to enhance each other. Yet as mentioned before the book was designed to allow individuals to either research a sub-set of the features in a router or the entire book itself. Thus in the middle of what appears to be two clear parts that would naturally fit together Part VI and VIII, Richard places Part VII on "Detecting and Preventing Attacks" demonstrates this feature covering areas of Intrusion Detection Systems, DoS Protection and Logging Events. The concept that attacks could come in any form, but commonly from external interaction is widely known. Seeing this section of the book only goes further to enforce and emphasis the importance of securing routers to protect the network.

As anyone in the Information Technology industry is aware it is important to protect the environment and to say that this book could not help in that protection is a clear understatement. I believe that anyone from the "small business jack of all trade IT person" to the "corporate IT Network Specialist" could benefit in some manor from this book and the explanations and examples presented. If I was to say there was one thing I would do different on this book is of had it published in a hard bound cover cause Cisco Press has not often published a book that does not have a clear basis for use and this book is no except to that, thus I believe it would be a benefit and often used book of any network individuals library.